My customer would like to manage authorization for applications.
The number of applications is not limited.
The authorization process is pretty complex.
Below is an example:
Functionary Code: different roles within the application.
A person can only have one functionary code for an application for a specific company.
A standard profile
B application manager
D custodian of rates
E rates consulting
F head application manager
H custodian of external bank accounts
Power of attorney code:
CD access to accounts of ACME staff allowed
CE access to accounts of ACME staff is blocked
A person can only have one "Power of attorney" code for an application for a specific company.
0001 : OPT bank
0002 : OVK bank
0019 : UVF bank
The idea is to create an agent (real or virtual) to manage the resources and authorizations.
If it's a real agent, we will simply manage it as any other managed system.
If it's a virtual agent (no managed system connection), we will use the agent as an input/output to store the data in the ESS DB by importing the access from the agent, then push them back to grant the authorization.
In fact, it's like a simple agent (based or less), but it should manage the authorization by import/export.
Thanks in advance for your help.
The ESS and agents are designed to grant access based on group permissions, so the permissions themselves could be defined and roles created within the ESS to administer who is connected to those permissions. However, your statement on "grant authorization" makes me think you are actually wanting the ESS to intervene at login time to either grant or deny the access to a specific level of an application.
If I am reading that correctly, what you are describing sounds like our Web Access Manager (WAM) solution that we transitioned to Symphony Services. I have not heard of anyone doing that level of fine-grained access control using ESS and our standard agents. Our agents provision accounts and grant permissions (via group memberships) to a specific platform, application, database, etc. The security within the application/platform/etc. then manages the authentication/authorization; ESS/IDM does not get involved in that process. To be more clear, the ESS is not called when a user attempts to log in to an application or database.
By contrast, the WAM solution has an enforcement agent that sits in front of the web application and presents specific web pages based on their authentication and authorization levels. This solution only supports web applications, but sounds like what you are describing. I do not think it is possible or advisable to try and customize the ESS/IDM Suite to act as an authorization mechanism for an application. The performance impact would be considerable as you would basically have to intercept every transaction (which would require a local agent) and run authorization tasks against it before the user could log in. That is not the way ESS is designed.
Ellen S Harbour
Software Consulting Practice Lead
ITIL v3 Expert
For me this description sounds a bit different. My understanding is that they want to check the possibility of using the ESS DB as a storage of relevant security information (which it is, btw) such as roles, resources and their relations, and then to have all relevant applications refer to this data directly.
In other words - instead of having our standard agents push security settings from the ESS to the application(s) repositories, they want the applications themselves to refer to a central repository (which is the ESS DB), using either SQL or ESS interfaces.
With this approach we can still use all built-in functionality (profiles, templates, exits, etc.), so the IdM engine is used with its full power, but it will be needless to spread all decisions outside over all the real repositories of those applications.
I would call such an option a "centralized virtual security repository" (CVSR). And the broker which will be used by applications to access ESS DB data they offered to call a "virtual agent"...
Nice idea, btw... worth checking...
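As an added illustration (not code from this thread, nor from BMC ESS/IDM) of the data model in the first post and the centralized repository suggested in the reply above, the following Python/sqlite3 example stores the functionary and power-of-attorney codes with the one-code-per-person-per-application-per-company rule enforced by the database itself, and shows the query an application would make against that repository at run time. The sqlite3 backend, the table and function names, and the person and application names used are assumptions.

```python
import sqlite3
# Added illustration of a "centralized virtual security repository"; codes, descriptions and
# bank companies below are constructed from the example in the first post.
SCHEMA = """
CREATE TABLE functionary_code (code TEXT PRIMARY KEY, description TEXT NOT NULL);
CREATE TABLE poa_code (code TEXT PRIMARY KEY, staff_accounts_allowed INTEGER NOT NULL);
CREATE TABLE company (code TEXT PRIMARY KEY, name TEXT NOT NULL);
-- Rule from the post: one functionary code per person, application and company.
CREATE TABLE functionary_assignment (
    person TEXT NOT NULL, application TEXT NOT NULL, company TEXT NOT NULL REFERENCES company(code),
    code TEXT NOT NULL REFERENCES functionary_code(code), UNIQUE (person, application, company));
-- The same rule applies to the power-of-attorney code.
CREATE TABLE poa_assignment (
    person TEXT NOT NULL, application TEXT NOT NULL, company TEXT NOT NULL REFERENCES company(code),
    code TEXT NOT NULL REFERENCES poa_code(code), UNIQUE (person, application, company));
"""
TABLES = {"functionary": "functionary_assignment", "poa": "poa_assignment"}

def build_repository():
    """Create the in-memory repository and load the reference codes."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # reject assignments that reference unknown codes
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO functionary_code VALUES (?, ?)", [
        ("A", "standard profile"), ("B", "application manager"), ("D", "custodian of rates"),
        ("E", "rates consulting"), ("F", "head application manager"),
        ("H", "custodian of external bank accounts")])
    db.executemany("INSERT INTO poa_code VALUES (?, ?)", [("CD", 1), ("CE", 0)])
    db.executemany("INSERT INTO company VALUES (?, ?)",
                   [("0001", "OPT bank"), ("0002", "OVK bank"), ("0019", "UVF bank")])
    return db

def assign(db, kind, person, application, company, code):
    """Import one access record; False if it breaks the one-code rule or names an unknown code/company."""
    table = TABLES[kind]  # table name comes from a fixed allow-list, never from caller input
    try:
        db.execute(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", (person, application, company, code))
        return True
    except sqlite3.IntegrityError:
        return False

def authorization(db, person, application, company):
    """Run-time query an application would make: (role description, staff-account access) or None."""
    row = db.execute("""
        SELECT f.description, COALESCE(p.staff_accounts_allowed, 0)
        FROM functionary_assignment fa JOIN functionary_code f ON f.code = fa.code
        LEFT JOIN poa_assignment pa ON pa.person = fa.person AND pa.application = fa.application AND pa.company = fa.company
        LEFT JOIN poa_code p ON p.code = pa.code
        WHERE fa.person = ? AND fa.application = ? AND fa.company = ?""",
        (person, application, company)).fetchone()
    return None if row is None else (row[0], bool(row[1]))
```

The import side (the "virtual agent") calls `assign` for each record it pulls in; a second functionary code for the same person, application and company is rejected by the UNIQUE constraint rather than by application logic.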
Thanks, Ellen! You know how to warm my old heart... :-)
I honestly don't think I understood it better, I just understood it differently and pointed to another approach they may also have thought about.
You know better than me - in reality the customer himself does not always understand what he needs, so in most cases we should point him to his target.
But not for this specific customer - they know exactly what they need and are just looking at how they can get it with the BMC IDM solution...